Authenticated stateless mount string for a distributed file system

ABSTRACT

A cluster of one or more computing devices is operably coupled to a plurality of storage devices. Each computing device in the cluster comprises a frontend and a backend. The backend comprises a plurality of buckets. Each bucket is operable to build a failure-protected stipe that spans two or more of the plurality of the storage devices. A file system comprises one or more failure-protected stipes. A client other than the one or more computing devices in the cluster is operable to access at least a portion of the file system via a stateless mount string comprising a cryptographically-signed key.

PRIORITY CLAIM

This application claims priority to the following application, which ishereby incorporated herein by reference:

U.S. provisional patent application 62/719,916 titled “AUTHENTICATEDSTATELESS MOUNT STRING FOR A DISTRIBUTED FILE SYSTEM” filed on Aug. 20,2018.

BACKGROUND

Limitations and disadvantages of conventional approaches to data storagewill become apparent to one of skill in the art, through comparison ofsuch approaches with some aspects of the present method and system setforth in the remainder of this disclosure with reference to thedrawings.

INCORPORATION BY REFERENCE

U.S. patent application Ser. No. 15/243,519 titled “Distributed ErasureCoded Virtual File system” is hereby incorporated herein by reference inits entirety.

BRIEF SUMMARY

Methods and systems are provided for an authenticated stateless mountstring in a distributed file system substantially as illustrated byand/or described in connection with at least one of the figures, as setforth more completely in the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates various example configurations of a distributed filesystem in accordance with aspects of this disclosure.

FIG. 2 illustrates an example configuration of a distributed file systemnode in accordance with aspects of this disclosure.

FIG. 3 illustrates another representation of a distributed file systemin accordance with an example implementation of this disclosure.

FIG. 4 illustrates an example of a computing device in an encrypted filesystem in accordance with one or more embodiments of the presentdisclosure.

FIG. 5 illustrates an example of a cluster of computing devices inaccordance with one or more embodiments of the present disclosure.

FIG. 6 illustrates an example a file system in accordance with one ormore embodiments of the present disclosure.

FIG. 7 is a flowchart illustrating an example method for accessing afile system in accordance with one or more embodiments of the presentdisclosure.

DETAILED DESCRIPTION

Traditionally, file systems use a centralized control over the metadatastructure (e.g., directories, files, attributes, file contents). If alocal file system is accessible from a single server and that serverfails, the file system's data may be lost if as there is no furtherprotection. To add protection, some file systems (e.g., as provided byNetApp) have used one or more pairs of controllers in an active-passivemanner to replicate the metadata across two or more computers. Othersolutions have used multiple metadata servers in a clustered way (e.g.,as provided by IBM GPFS, Dell EMC Isilon, Lustre, etc.). However,because the number of metadata servers in a traditional clustered systemis limited to small numbers, such systems are unable to scale.

The systems in this disclosure are applicable to small clusters and canalso scale to many, many thousands of nodes. An example embodiment isdiscussed regarding non-volatile memory (NVM), for example, flash memorythat comes in the form of a solid-state drive (SSD). The NVM may bedivided into 4 kB blocks and 128 MB chunks. Extents may be stored involatile memory, e.g., RAM for fast access, backed up by NVM storage aswell. An extent may store pointers for blocks, e.g., 256 pointers to 1MB of data stored in blocks. In other embodiments, larger or smallermemory divisions may also be used. Metadata functionality in thisdisclosure may be effectively spread across many servers. For example,in cases of “hot spots” where a large load is targeted at a specificportion of the file system's namespace, this load can be distributedacross a plurality of nodes.

FIG. 1 illustrates various example configurations of a distributed filesystem in accordance with aspects of this disclosure. Shown in FIG. 1 isa local area network (LAN) 102 comprising one or more nodes 120 (indexedby integers from 1 to J, for j 1), and optionally comprising (indicatedby dashed lines): one or more dedicated storage nodes 106 (indexed byintegers from 1 to M, for M 1), one or more compute nodes 104 (indexedby integers from 1 to N, for N≥1), and/or an edge router that connectsthe LAN 102 to a remote network 118. The remote network 118 optionallycomprises one or more storage services 114 (indexed by integers from 1to K, for K≥1), and/or one or more dedicated storage nodes 115 (indexedby integers from 1 to L, for L≥1).

Each node 120 _(j) (j an integer, where 1≤j≤J) is a networked computingdevice (e.g., a server, personal computer, or the like) that comprisescircuitry for running processes (e.g., client processes) either directlyon an operating system of the device 104 _(n) and/or in one or morevirtual machines running in the device 104 _(n).

The compute nodes 104 are networked devices that may run a virtualfrontend without a virtual backend. A compute node 104 may run a virtualfrontend by taking a single root input/output virtualization (SR-IOV)into the network interface card (NIC) and consuming a complete processorcore. Alternatively, the compute node 104 may run the virtual frontendby routing the networking through a Linux kernel networking stack andusing kernel process scheduling, thus not having the requirement of afull core. This is useful if a user does not want to allocate a completecore for the file system or if the networking hardware is incompatiblewith the file system requirements.

FIG. 2 illustrates an example configuration of a node in accordance withaspects of this disclosure. A node comprises a frontend 202 and driver208, a memory controller 204, a backend 206, and an SSD agent 214. Thefrontend 202 may be a virtual frontend; the memory controller 204 may bea virtual memory controller; the backend 206 may be a virtual backend;and the driver 208 may be a virtual drivers. As used in this disclosure,a virtual file system (VFS) process is a process that implements one ormore of: the frontend 202, the memory controller 204, the backend 206,and the SSD agent 214. Thus, in an example implementation, resources(e.g., processing and memory resources) of the node may be shared amongclient processes and VFS processes. The processes of the VFS may beconfigured to demand relatively small amounts of the resources tominimize the impact on the performance of the client applications. Thefrontend 202, the memory controller 204, and/or the backend 206 and/orthe SSD agent 214 may run on a processor of the host 201 or on aprocessor of the network adaptor 218. For a multi-core processor,different VFS process may run on different cores, and may run adifferent subset of the services. From the perspective of the clientprocess(es) 212, the interface with the virtual file system isindependent of the particular physical machine(s) on which the VFSprocess(es) are running. Client processes only require driver 208 andfrontend 202 to be present in order to serve them.

The node may be implemented as a single tenant server (e.g., bare-metal)running directly on an operating system or as a virtual machine (VM)and/or container (e.g., a Linux container (LXC)) within a bare-metalserver. The VFS may run within an LXC container as a VM environment.Thus, inside the VM, the only thing that may run is the LXC containercomprising the VFS. In a classic bare-metal environment, there areuser-space applications and the VFS runs in an LXC container. If theserver is running other containerized applications, the VFS may runinside an LXC container that is outside the management scope of thecontainer deployment environment (e.g. Docker).

The node may be serviced by an operating system and/or a virtual machinemonitor (VMM) (e.g., a hypervisor). The VMM may be used to create andrun the node on a host 201. Multiple cores may reside inside the singleLXC container running the VFS, and the VFS may run on a single host 201using a single Linux kernel. Therefore, a single host 201 may comprisemultiple frontends 202, multiple memory controllers 204, multiplebackends 206, and/or one or more drivers 208. A driver 208 may run inkernel space outside the scope of the LXC container.

A SR-IOV PCIe virtual function may be used to run the networking stack210 in user space 222. SR-IOV allows the isolation of PCI Express, suchthat a single physical PCI Express can be shared on a virtualenvironment and different virtual functions may be offered to differentvirtual components on a single physical server machine. The I/O stack210 enables the VFS node to bypasses the standard TCP/IP stack 220 andcommunicate directly with the network adapter 218. A Portable OperatingSystem Interface for uniX (POSIX) VFS functionality may be providedthrough lockless queues to the VFS driver 208. SR-IOV or full PCIephysical function address may also be used to run non-volatile memoryexpress (NVMe) driver 214 in user space 222, thus bypassing the Linux IOstack completely. NVMe may be used to access non-volatile storage media216 attached via a PCI Express (PCIe) bus. The non-volatile storagemedia 220 may be, for example, flash memory that comes in the form of asolid-state drive (SSD) or Storage Class Memory (SCM) that may come inthe form of an SSD or a memory module (DIMM). Other example may includestorage class memory technologies such as 3D-XPoint.

The SSD may be implemented as a networked device by coupling thephysical SSD 216 with the SSD agent 214 and networking 210.Alternatively, the SSD may be implemented as a network-attached NVMe SSD222 or 224 by using a network protocol such as NVMe-oF (NVMe overFabrics). NVMe-oF may allow access to the NVMe device using redundantnetwork links, thereby providing a higher level or resiliency. Networkadapters 226, 228, 230 and 232 may comprise hardware acceleration forconnection to the NVMe SSD 222 and 224 to transform them into networkedNVMe-oF devices without the use of a server. The NVMe SSDs 222 and 224may each comprise two physical ports, and all the data may be accessedthrough either of these ports.

Each client process/application 212 may run directly on an operatingsystem or may run in a virtual machine and/or container serviced by theoperating system and/or hypervisor. A client process 212 may read datafrom storage and/or write data to storage in the course of performingits primary function. The primary function of a client process 212,however, is not storage-related (i.e., the process is only concernedthat its data is reliably stored and is retrievable when needed, and notconcerned with where, when, or how the data is stored). Exampleapplications which give rise to such processes include: email servers,web servers, office productivity applications, customer relationshipmanagement (CRM), animated video rendering, genomics calculation, chipdesign, software builds, and enterprise resource planning (ERP).

A client application 212 may make a system call to the kernel 224 whichcommunicates with the VFS driver 208. The VFS driver 208 puts acorresponding request on a queue of the VFS frontend 202. If several VFSfrontends exist, the driver may load balance accesses to the differentfrontends, making sure a single file/directory is always accessed viathe same frontend. This may be done by sharding the frontend based onthe ID of the file or directory. The VFS frontend 202 provides aninterface for routing file system requests to an appropriate VFS backendbased on the bucket that is responsible for that operation. Theappropriate VFS backend may be on the same host or it may be on anotherhost.

A VFS backend 206 hosts several buckets, each one of them services thefile system requests that it receives and carries out tasks to otherwisemanage the virtual file system (e.g., load balancing, journaling,maintaining metadata, caching, moving of data between tiers, removingstale data, correcting corrupted data, etc.)

A VFS SSD agent 214 handles interactions with a respective storagedevice 216. This may include, for example, translating addresses, andgenerating the commands that are issued to the storage device (e.g., ona SATA, SAS, PCIe, or other suitable bus). Thus, the VFS SSD agent 214operates as an intermediary between a storage device 216 and the VFSbackend 206 of the virtual file system. The SSD agent 214 could alsocommunicate with a standard network storage device supporting a standardprotocol such as NVMe-oF (NVMe over Fabrics).

FIG. 3 illustrates another representation of a distributed file systemin accordance with an example implementation of this disclosure. In FIG.3, the element 302 represents memory resources (e.g., DRAM and/or othershort-term memory) and processing (e.g., x86 processor(s), ARMprocessor(s), NICs, ASICs, FPGAs, and/or the like) resources of variousnode(s) (compute, storage, and/or VFS) on which resides a virtual filesystem, such as described regarding FIG. 2 above. The element 308represents the one or more physical storage devices 216 which providethe long term storage of the virtual file system.

As shown in FIG. 3, the physical storage is organized into a pluralityof distributed failure resilient address spaces (DFRASs) 518. Each ofwhich comprises a plurality of chunks 310, which in turn comprises aplurality of blocks 312. The organization of blocks 312 into chunks 310is only a convenience in some implementations and may not be done in allimplementations. Each block 312 stores committed data 316 (which maytake on various states, discussed below) and/or metadata 314 thatdescribes or references committed data 316.

The organization of the storage 308 into a plurality of DFRASs enableshigh performance parallel commits from many—perhaps all—of the nodes ofthe virtual file system (e.g., all nodes 104 ₁-104 _(N), 106 ₁-106 _(M),and 120 ₁-120 _(J) of FIG. 1 may perform concurrent commits inparallel). In an example implementation, each of the nodes of thevirtual file system may own a respective one or more of the plurality ofDFRAS and have exclusive read/commit access to the DFRASs that it owns.

Each bucket owns a DFRAS, and thus does not need to coordinate with anyother node when writing to it. Each bucket may build stripes across manydifferent chunks on many different SSDs, thus each bucket with its DFRAScan choose what “chunk stripe” to write to currently based on manyparameters, and there is no coordination required in order to do so oncethe chunks are allocated to that bucket. All buckets can effectivelywrite to all SSDs without any need to coordinate.

Each DFRAS being owned and accessible by only its owner bucket that runson a specific node allows each of the nodes of the VFS to control aportion of the storage 308 without having to coordinate with any othernodes (except during [re]assignment of the buckets holding the DFRASsduring initialization or after a node failure, for example, which may beperformed asynchronously to actual reads/commits to storage 308). Thus,in such an implementation, each node may read/commit to its buckets'DFRASs independently of what the other nodes are doing, with norequirement to reach any consensus when reading and committing tostorage 308. Furthermore, in the event of a failure of a particularnode, the fact the particular node owns a plurality of buckets permitsmore intelligent and efficient redistribution of its workload to othernodes (rather the whole workload having to be assigned to a single node,which may create a “hot spot”). In this regard, in some implementationsthe number of buckets may be large relative to the number of nodes inthe system such that any one bucket may be a relatively small load toplace on another node. This permits fine grained redistribution of theload of a failed node according to the capabilities and capacity of theother nodes (e.g., nodes with more capabilities and capacity may begiven a higher percentage of the failed nodes buckets).

To permit such operation, metadata may be maintained that maps eachbucket to its current owning node such that reads and commits to storage308 can be redirected to the appropriate node.

Load distribution is possible because the entire file system metadataspace (e.g., directory, file attributes, content range in the file,etc.) can be broken (e.g., chopped or sharded) into small, uniformpieces (e.g., “shards”). For example, a large system with 30k serverscould chop the metadata space into 128k or 256k shards.

Each such metadata shard may be maintained in a “bucket.” Each VFS nodemay have responsibility over several buckets. When a bucket is servingmetadata shards on a given backend, the bucket is considered “active” orthe “leader” of that bucket. Typically, there are many more buckets thanVFS nodes. For example, a small system with 6 nodes could have 120buckets, and a larger system with 1,000 nodes could have 8k buckets.

Each bucket may be active on a small set of nodes, typically 5 nodesthat that form a penta-group for that bucket. The cluster configurationkeeps all participating nodes up-to-date regarding the penta-groupassignment for each bucket.

Each penta-group monitors itself. For example, if the cluster has 10kservers, and each server has 6 buckets, each server will only need totalk with 30 different servers to maintain the status of its buckets (6buckets will have 6 penta-groups, so 6*5=30). This is a much smallernumber than if a centralized entity had to monitor all nodes and keep acluster-wide state. The use of penta-groups allows performance to scalewith bigger clusters, as nodes do not perform more work when the clustersize increases. This could pose a disadvantage that in a “dumb” mode asmall cluster could actually generate more communication than there arephysical nodes, but this disadvantage is overcome by sending just asingle heartbeat between two servers with all the buckets they share (asthe cluster grows this will change to just one bucket, but if you have asmall 5 server cluster then it will just include all the buckets in allmessages and each server will just talk with the other 4). Thepenta-groups may decide (i.e., reach consensus) using an algorithm thatresembles the Raft consensus algorithm.

Each bucket may have a group of compute nodes that can run it. Forexample, five VFS nodes can run one bucket. However, only one of thenodes in the group is the controller/leader at any given moment.Further, no two buckets share the same group, for large enough clusters.If there are only 5 or 6 nodes in the cluster, most buckets may sharebackends. In a reasonably large cluster there many distinct node groups.For example, with 26 nodes, there are more than 64,000 (26!/5!*(26−5)?)possible five-node groups (i.e., penta-groups).

All nodes in a group know and agree (i.e., reach consensus) on whichnode is the actual active controller (i.e., leader) of that bucket. Anode accessing the bucket may remember (“cache”) the last node that wasthe leader for that bucket out of the (e.g., five) members of a group.If it accesses the bucket leader, the bucket leader performs therequested operation. If it accesses a node that is not the currentleader, that node indicates the leader to “redirect” the access. Ifthere is a timeout accessing the cached leader node, the contacting nodemay try a different node of the same penta-group. All the nodes in thecluster share common “configuration” of the cluster, which allows thenodes to know which server may run each bucket.

Each bucket may have a load/usage value that indicates how heavily thebucket is being used by applications running on the file system. Forexample, a server node with 11 lightly used buckets may receive anotherbucket of metadata to run before a server with 9 heavily used buckets,even though there will be an imbalance in the number of buckets used.Load value may be determined according to average response latencies,number of concurrently run operations, memory consumed or other metrics.

Redistribution may also occur even when a VFS node does not fail. If thesystem identifies that one node is busier than the others based on thetracked load metrics, the system can move (i.e., “fail over”) one of itsbuckets to another server that is less busy. However, before actuallyrelocating a bucket to a different host, load balancing may be achievedby diverting writes and reads. Since each write may end up on adifferent group of nodes, decided by the DFRAS, a node with a higherload may not be selected to be in a stripe to which data is beingwritten. The system may also opt to not serve reads from a highly loadednode. For example, a “degraded mode read” may be performed, wherein ablock in the highly loaded node is reconstructed from the other blocksof the same stripe. A degraded mode read is a read that is performed viathe rest of the nodes in the same stripe, and the data is reconstructedvia the failure protection. A degraded mode read may be performed whenthe read latency is too high, as the initiator of the read may assumethat that node is down. If the load is high enough to create higher readlatencies, the cluster may revert to reading that data from the othernodes and reconstructing the needed data using the degraded mode read.

Each bucket manages its own distributed erasure coding instance (i.e.,DFRAS 518) and does not need to cooperate with other buckets to performread or write operations. There are potentially thousands of concurrent,distributed erasure coding instances working concurrently, each for thedifferent bucket. This is an integral part of scaling performance, as iteffectively allows any large file system to be divided into independentpieces that do not need to be coordinated, thus providing highperformance regardless of the scale.

Each bucket handles all the file systems operations that fall into itsshard. For example, the directory structure, file attributes and filedata ranges will fall into a particular bucket's jurisdiction.

An operation done from any frontend starts by finding out what bucketowns that operation. Then the backend leader, and the node, for thatbucket is determined. This determination may be performed by trying thelast-known leader. If the last-known leader is not the current leader,that node may know which node is the current leader. If the last-knownleader is not part of the bucket's penta-group anymore, that backendwill let the front end know that it should go back to the configurationto find a member of the bucket's penta-group. The distribution ofoperations allows complex operations to be handled by a plurality ofservers, rather than by a single computer in a standard system.

If the cluster of size is small (e.g., 5) and penta-groups are used,there will be buckets that share the same group. As the cluster sizegrows, buckets are redistributed such that no two groups are identical.

Encrypted storage is important to many different applications. Forexample, finance application must be secured according to the FederalInformation Processing Standard (FIPS), and healthcare applications mustbe secured according to the Health Insurance Portability andAccountability Act (HIPPA).

Encryption may be required for stored data. For example, if one or morestorage devices are compromised, encryption of the stored data preventsthe recovery of clear text data.

Encryption may also be required “on-the-fly” for data that istransmitted over a network. For example, encryption on the “on-the-fly”prevents eavesdropping and a man-in-the-middle trying to meddle with thedata.

FIG. 4 illustrates an example of a computing device 401 in an encryptedfile system 400. The computing device comprising a frontend 403 and abackend 405. The frontend 403 may encrypt and decrypt data on the clientside as it enters and leaves the system. The frontend 403 is operable toencrypt data as it is written to a data file in the system 400. Thefrontend 403 is also operable to decrypt data as it is read from a datafile in the system 400.

The frontend 403 encrypts the data at least according to a file key 413.This file key 413 may be rotated by copying the data file. The file key413 (e.g., one key per file) may be provided to a client for frontendencryption and decryption. This file key 413 may be generated by thefile system 401 with a FIPS-approved secure random number generator. Ifthe file key 413 is to be saved, the file key 415 may be encrypted by afile system key 415. Additionally, the file system id and the inode idmay be used as authenticated data for the file key 413. File keys can berotated by copying the file. When the file is copied, the contents willbe re-encrypted with a newly generated file key.

The file system key 415 (e.g., one key per each file system) shouldnever leave the file system's boundaries. The file system key 415 may begenerated by a key management system/server (KMS). If the file systemkey 415 is to be saved, the file system key may be encrypted by acluster key 417. Additionally, the cluster id and the file system id maybe used as authenticated data for the file system key 415. The filesystem key 415 may be rotated instantly by the file system 400. Forexample, the file system 400 may request that the KMS generates a newkey for a specified file system. Newly created files will have theirfile key 413 encrypted with the latest file system key 415, and updatedfiles may have their file key 413 re-encrypted with the latest filesystem key 415.

The file key 413 may be encrypted by a file system key 415. Furthermore,the file system key 415 may be encrypted by a cluster key 417. The filekey 413 may be re-encrypted when the file system key 415 is rotated, andthe file system key 415 may be re-encrypted when the cluster key 417 isrotated.

The backend comprises a plurality of buckets 407 a, 407 b . . . 407 m.The computing device 401 is operably coupled to a plurality of storagedevices 409 a, 409 b, 409 c, 409 d . . . 407 n, e.g. SSD's. The numberof buckets may the less than, greater than or equal to the number ofstorage devices.

Each bucket 407 x of the plurality of buckets 407 a, 407 b . . . 407 mis operable build a failure-protected stripe 411 x that comprises aplurality of storage blocks (e.g., block x1, block x2 and block x3). Theplurality of storage blocks comprises encrypted data as well as errordetection and/or error correction coding. For illustration, stripe 411 acomprises block a1, block a2 and block a3; stripe 411 b comprises block131, block b2 and block b3; and stripe 411 c comprises block c1, blockc2 and block c3. The number of blocks in a stripe may be less than,greater than or equal to three. Each storage block of a particularstripe is located in a different storage device of the plurality ofstorage devices. All failure-protected stripes 411 built by theplurality of buckets 407 in the backend 405 are in a common file system400 associated with the file system key 415.

FIG. 5 illustrates an example of a cluster 501 of computing devices 401a, 401 b, 401 c . . . 401 p. The cluster 501 of computing devices isassociated with the cluster key 417. The cluster key 417 (e.g., one keyper each cluster) should never leave the cluster's boundaries. Thecluster key 417 may be generated by a KMS. The cluster key can berotated instantly by the KMS. Upon rotation, the KMS re-encrypts eachfile system key 415, and the old cluster key can be destroyed. A filesystem does not need to be aware of the rotation. When a client (e.g.,computing device 401 b or 401 c) joins the cluster 501, it registers apublic key 503 with the leader. Each client node generates a long-termpublic/private key pair 503 on startup.

Network-encryption keys may be negotiated by two nodes (e.g., computingdevice 401 b or 401 c) for encrypting communication between those twonodes. Network interactions between nodes, including system nodes andclient nodes, are called remote procedure calls (RPCs). RPCs can marktheir arguments, output parameters and return value as encrypted. RPCsmay encrypt their argument payloads using a pre-negotiated key knownonly to the two RPC endpoints (e.g., nodes). On-demand, each client maynegotiate a session key 507 with each system node it connects to.Session keys may be negotiated with perfect forward security usingephemeral key pairs (using. e.g., ephemeral key pair generator 505)signed with the long-term key pairs (e.g., long-term key 503 b and 503c) that are generated by each node (e.g., computing device 401 b or 401c) when it was added to the cluster 501.

System-to-system keys may be used to reduce the time until anewly-started server can connect to other servers. Upon joining, thenewly-started server may receive a key from the file system leader. Thissystem-to-system key is encrypted and saved in a configuration. RPCsfrom servers to ServerA may use a configuration denoted as, for example,“config.serverkeys [A].”

To authenticate a client, an administrator may generate a token orcertificate that can be used by clients to join the cluster. The tokenmay be time-limited and configurable, by an administrator, based on achallenge-response mechanism. The token may identify a specific machine(e.g., my IP address or instance ID). The token may identify a clientclass, thereby allowing many machines to join using the same token. Thetoken may also be revoked by the administrator. When a token is revoked,new clients will not be able to join using the token, and an existingclient that joined using the token will be disconnected unless theexisting client has an updated and valid token.

To authorize mounts, an administrator can configure which clients(either specific machines or groups of machines) may mount which filesystems. This authorization is verified when a client attempts to mountthe file system. A client that has not mounted the file system may beprevented from accessing the file system. The administrator may specifywhether the allowed access is read only, write only or read/write. Theadministrator may also allow a client to mount as root (e.g., rootsquashor no rootsquash).

Each file system may have a filename-encryption key that may be derivedfrom the file system key. When a client mounts a file system, the clientmay receive a filename-encryption key. The client may create files withencrypted filenames using symmetric encryption.

File data in object storage (e.g., tiered data for backups and restores)may be encrypted the same way as on-disk data. When uploading to theobject storage, the file data may contain file system parameters such asthe encrypted file system key. For example, the file system key may beencrypted with a special “backup-specific cluster key” that is availablevia a KMS.

If a cluster is discarded and a new cluster is created by downloading afile system from the object store, the downloaded file system may bedecrypted by the file system key with the backup-specific key andre-encrypted with the cluster's new cluster key.

When stowing a snapshot to a simple storage service (S3) the file systemkeys may be re-encrypted using a new cluster key. The “stow” command maycontain the new cluster key ID and credentials to access it from theKMS. The existing file system keys may be re-encrypted with the newcluster key and saved in the S3 with the rest of the file systemmetadata. Restoring a stowed snapshot requires accessing the samecluster-key specified when stowing.

System page cache may be encrypted to reduce the possibility that memory(e.g., kernel memory) will be accessed by another process. To combatthis unauthorized access, encrypted data received by a kernel page cachemay not be decrypted immediately once it is received in the network.Because the kernel will store encrypted data, a rogue application wouldbe unable to access to it. When the process that actually own the filesaccesses the encrypted data, the kernel driver, with the help of thefrontend, will decrypt the data while copying it to the memory space ofthat process. System memory will, therefore, be encrypted until it isaccessed legitimately.

The encryption and decryption processes may leverage hardwareacceleration. When performing the encryption, the file system may lookfor hardware that is capable of accelerating the encryption process. Thefile system may rank which hardware is more efficient (e.g., standardCPU opcodes, acceleration within the CPU, encryption co-processor onthe, or a network card) and use the most efficient way of encrypting thedecrypting the data.

Self-encrypting drives (SED) may be used in addition to theaforementioned encryption. On top of the standard encryption code in thefile system, an SED may encrypt the already encrypted data that is beingreceived.

Encryption at of stored data may use symmetric encryption keys, wherethe same key is used for encrypting and decrypting the data. Based onthe file system configuration, there are several options for keymanagement.

The same key may be used for all the drives (e.g., SSD's). If that keyis compromised, however, all of the drives can be read.

A different key may be used for each SSD. These keys may be managed bythe file system randomly picking and storing the different encryptionkeys for each SSD. Alternatively, these keys may be managed by aclient's own key management system that handles creating and storingencryption keys. The file system may authenticate these key with theclient's KSM and request the right key for each SSD. Until the nextreboot the SSD holds the key and can use it.

FIG. 6 illustrates an example of a file system 601 in accordance withone or more embodiments of the present disclosure. The file system 601comprises a plurality of storage devices 607 a, 607 b, 607 c, 607 d . .. 607 n and a cluster of one or more computing devices 605 a, 605 b . .. 605 m. Each computing device (e.g., 605 a, 605 b . . . 605 m) of thecluster is operable to build one or more failure-protected stripes(e.g., 611 a, 611 b . . . 611 m). Each failure-protected stripe (e.g.,611 a, 611 b and 611 m) comprises a plurality of storage blocks (e.g.,block a1, a2 and a3; block 131, b2 and b3; and block m1, m2 and m3).Each storage block (e.g., block a1, a2 and a3) of a failure-protectedstripe (e.g., 611 a) is located in a different storage device (e.g., 607a, 607 b and 607 c) of the plurality of storage devices (e.g., 607 a,607 b, 607 c, 607 d . . . 607 n).

A client 609 a is operable to request access to at least a portion ofthe file system 601 via a stateless mount string. The stateless mountstring may comprise data that is encrypted by a cryptographically-signedkey. The stateless mount string may also encapsulate one or moreauthentication parameters, such as object storage stateless credentialsand/or quality of service parameters.

To authenticate a client, an administrator may request that the filesystem generates a cryptographically-signed key that can be used by aparticular client to access a limited portion of the file system domain.Authorization of the client may be verified according to thecryptographically-signed key when a client attempts to access the filesystem. An unauthorized client will be prevented from accessing the filesystem.

Access to a portion of the file system 601 may be granted independentlyof previous requests (or other communication) by the client. Multipleclients 609 a and 609 b may access the file system 601 concurrently.Multiple clients 609 a and 609 b may be mapped to a common useridentification number. The cryptographically-signed key may prevent aclient from accessing portions of the file system. For example, a firstclient 609 a may access a first portion of the file system, and a secondclient 609 b may access a second portion of the file system. The firstportion of the file system may or may not overlap with the secondportion of the file system.

The cryptographically-signed key may also have the ability to limitaccess based on timing specified. For example, a client may be grantedaccess for a portion of the namespace for a week. After that week iselapsed, access is no longer granted. Alternatively, write access maychanges to read access after that week. If the client wants to continueaccessing the namespace, a new cryptographically-signed key will need tobe generated on the system by the administrator, and the newcryptographically-signed key will need to be provided to the client.

The client will then either re-mount (un-mount, and mount, easy butclunky) or actually engage in a mode that a overlapped mount starts withthe new credentials, pass everything to it transparently then remove theold mount that is going to lose access soon.

The stateless mount string brings the object storage statelesscredentials parameters to the mount options capability. By utilizingstateless mount strings, client nodes may be added to a large cluster,while only users with permissions can actually access different portionsof that file system with the correct quality of service (QoS)parameters. QoS parameters may allow multiple concurrent mounts, andeach mount may be associated with a priority or permission.

The stateless mount string may incorporate (Lightweight Directory AccessProtocol) LDAP to locate particular storage portions and/or computingdevices in the file system. For example, the encapsulated QoS parametersmay be associated local permissions. The file system may maintain anaccess control list (ACL) that specifies which clients are grantedaccess to particular objects, as well as what operations are allowed ongiven objects.

FIG. 7 is a flowchart illustrating an example method for accessing afile system in accordance with one or more embodiments of the presentdisclosure. In block 701, a first stateless mount string is receivedfrom a first client. In block 703, the first client is granted access toa first portion of a file system according to the first stateless mountstring. The access to the first portion of the file system isindependent of any request prior to the first stateless mount string. Inblock 705, a second stateless mount string is received from a secondclient. In block 707, the second client is granted access to a secondportion of a file system according to the second stateless mount string.The first client and the second client may access the file systemconcurrently.

If the first portion of a file system overlaps with a second portion ofa file system, contention may be resolved according to a QoSprioritization in block 707. For example, the second client may beprevented from accessing the first portion of the file system if thesecond stateless mount string is associated with a lower priority thanthe first stateless mount string.

While the present method and/or system has been described with referenceto certain implementations, it will be understood by those skilled inthe art that various changes may be made and equivalents may besubstituted without departing from the scope of the present methodand/or system. In addition, many modifications may be made to adapt aparticular situation or material to the teachings of the presentdisclosure without departing from its scope. Therefore, it is intendedthat the present method and/or system not be limited to the particularimplementations disclosed, but that the present method and/or systemwill include all implementations falling within the scope of theappended claims.

As utilized herein the terms “circuits” and “circuitry” refer tophysical electronic components (i.e. hardware) and any software and/orfirmware (“code”) which may configure the hardware, be executed by thehardware, and or otherwise be associated with the hardware. As usedherein, for example, a particular processor and memory may comprisefirst “circuitry” when executing a first one or more lines of code andmay comprise second “circuitry” when executing a second one or morelines of code. As utilized herein, “and/or” means any one or more of theitems in the list joined by “and/or”. As an example, “x and/or y” meansany element of the three-element set {(x), (y), (x, y)}. In other words,“x and/or y” means “one or both of x and y”. As another example, “x, y,and/or z” means any element of the seven-element set {(x), (y), (z), (x,y), (x, z), (y, z), (x, y, z)}. In other words, “x, y and/or z” means“one or more of x, y and z”. As utilized herein, the term “exemplary”means serving as a non-limiting example, instance, or illustration. Asutilized herein, the terms “e.g.,” and “for example” set off lists ofone or more non-limiting examples, instances, or illustrations. Asutilized herein, circuitry is “operable” to perform a function wheneverthe circuitry comprises the necessary hardware and code (if any isnecessary) to perform the function, regardless of whether performance ofthe function is disabled or not enabled (e.g., by a user-configurablesetting, factory trim, etc.).

What is claimed is: 1-20. (canceled)
 21. A system comprising: a localcomputing device; and a plurality of storage devices, wherein: thecomputing device is operable to build a plurality of failure-protectedstripes, each failure-protected stripe comprise a plurality of storageblocks, each storage block of a failure-protected stripe is located in adifferent storage device of the plurality of storage devices, and theplurality of failure-protected stripes is accessible by a first externalcomputing device, and a request, to access the plurality offailure-protected stripes, comprises a stateless mount string.
 22. Thesystem of claim 21, wherein the access to the plurality offailure-protected stripes is granted independently of any previousrequests by the first external computing device.
 23. The system of claim21, wherein the first external computing device and a second externalcomputing device are operable to access the plurality offailure-protected stripes concurrently.
 24. The system of claim 23,wherein the first external computing device and the second externalcomputing device are mapped to a common user identification number. 25.The system of claim 23, wherein the second external computing device isprevented from accessing a failure-protected stripes that is beingaccessed by the first external computing device.
 26. The system of claim21, wherein the stateless mount string is encrypted by acryptographically-signed key.
 27. The system of claim 21, wherein thestateless mount string comprises data encrypted by acryptographically-signed key.
 28. The system of claim 21, wherein thestateless mount string encapsulates one or more authenticationparameters.
 29. The system of claim 28, wherein the one or moreauthentication parameters comprise object storage stateless credentials.30. The system of claim 28, wherein the one or more authenticationparameters comprise a quality of service parameter.
 31. A methodcomprising: receiving a stateless mount string from a first externalcomputing device; and granting the first external computing deviceaccess to a file system according to the stateless mount string,wherein: the file system comprises a plurality failure-protectedstripes, each failure-protected stripe comprises a plurality of storageblocks, and each storage block of a failure-protected stripe is locatedin a different storage device.
 32. The method of claim 31, wherein theaccess to the file system is independent of any request prior to thestateless mount string.
 33. The method of claim 31, wherein the methodcomprises: granting a second external computing device access to thefile system.
 34. The method of claim 33, wherein the method comprises:mapping the first external computing device and the second externalcomputing device to a common user identification number.
 35. The methodof claim 33, wherein the method comprises: preventing the secondexternal computing device from accessing a portion of the file systembeing accessed by the first external computing device.
 36. The method ofclaim 31, wherein the method comprises: decrypting the stateless mountstring using a cryptographically-signed key.
 37. The method of claim 31,wherein the stateless mount string comprises data encrypted by acryptographically-signed key.
 38. The method of claim 31, wherein thestateless mount string encapsulates one or more authenticationparameters.
 39. The method of claim 38, wherein the one or moreauthentication parameters comprise object storage stateless credentials.40. The method of claim 38, wherein the one or more authenticationparameters comprise a quality of service parameter.